The widely anticipated iOS 6 release brings over 200 new features to supported iOS devices. These features include a new maps app, updated Siri features, VIP mailboxes, deep Facebook integration, Passbook, and many internationalization enhancements. iOS 6 ships with iPhone 5 and the 5th generation iPod touch, and is generally available for other select iOS devices as of September 19, 2012. While most of the new capabilities are consumer-focused, Mobile IT professionals will find a number of features valuable in the enterprise environment. This document provides an overview of enterprise capabilities new to iOS 6 and guidelines for implementation using MobileIron.
The new enterprise-focused capabilities of iOS 6 include:
- Global HTTP proxy*
- Single-App Mode*
- Restrictions for Game Center*, iMessage, Passbook, iBookstore*, Shared photo streams
- Prohibiting users from manually installing configuration profiles*
- Disabling diagnostics submission to Apple
- PIM privacy settings
* Requires “supervision” by the Apple Configurator. See the Apple Configurator section later in this document for information on Configurator usage.
Global HTTP Proxy
HTTP proxies are useful for environments where web content filtering and auditing are required. In iOS 5, HTTP proxy support was limited to individual Wi-Fi and VPN connections. In iOS 6, an HTTP proxy can be applied globally to a device. Information Security professionals can now scan and filter web content regardless of which Wi-Fi or cellular network the device is joined to.
When the Global HTTP Proxy setting is configured on an iOS 6 device, HTTP traffic is routed to a proxy server that the IT admin specifies. If that server is not reachable for any reason, the apps on the device that use HTTP as a transport mechanism will not be able to send or receive data. Restricting this web traffic requires that apps use the native iOS networking APIs.
The Global HTTP Proxy can be enabled only on devices that were originally set up and supervised by Apple Configurator.
Single App Mode
When the Single-App Mode setting is enabled, only the app specified by the Mobile IT team can be run on the device. This is useful for kiosk-like deployments. Examples include an iPad used only as a product catalog for a clothing retailer, or an iPod touch with a hardware sled for barcode scanning and credit card swiping used as a point-of-sale device at an electronics retailer. These devices typically have a locked-down configuration, where the device should run only one app.
When Single-App Mode is enabled, the Home button and features such as taking a screenshot or receiving notifications are disabled. The device will return to the specified app automatically upon wake or restart.
Single-App Mode can be enabled only on devices that were originally set up and supervised by Apple Configurator.
iOS 6 introduces several device restrictions:
- Allow Game Center*. Disallow to remove the Game Center icon from the home screen.
- Allow use of iBookstore*. Disallow to disable the iBookstore on the device.
- Allow iBookstore erotica*. Disallow to prevent users from downloading media tagged as erotica from the iBookstore.
- Allow iMessage*. Disallow to remove the Messages icon from the home screen and prevent the device from receiving iMessages.
- Allow Passbook while locked. Disallow to prevent display of Passbook notifications on the lock screen.
- Allow Shared Photo Stream. Disallow to disable the ability to share photos with specified contacts and to receive updates for shared streams.
- Allow user configuration profile installation*. Disallow to prohibit the user from installing configuration profiles and certificates interactively.
* Requires devices that were originally set up and supervised by the Apple Configurator.
iOS 6 includes new privacy features that enable end-users to restrict third-party app access to user data and other services:
- Reminders (Tasks)
- Bluetooth Sharing
Note that photos can contain location data.
Permissions can be set per service for each app that has requested access to the service. These settings are not available for remote management via MDM; however, Mobile IT staff can still recommend that end-users manually configure these permissions as needed for adherence to corporate security policy.
Alternatively, restrictions can be enforced at an app level. Consider using MobileIron AppControl rules to disallow apps that violate acceptable use policies, rather than attempting to manually provision privacy settings for the services themselves.
Apple Configurator and Supervision
Many of the iOS 6 enterprise capabilities require Apple Configurator “supervision”. Apple Configurator is a mass configuration tool that can be used to install a baseline configuration prior to MobileIron enrollment. This may include installing the latest version of iOS or settings for a Wi-Fi network used for MobileIron enrollment.
The “supervised” device attribute indicates that the device will remain under the direct control of the Mobile IT team, and it enables additional capabilities more applicable to corporate-liable deployments. This includes deployments for dedicated tasks (e.g., field service deployments, retail point-of-sale devices), “loaner” devices used in hospitality and services, and devices shared among students in a classroom lab.
NOTE: When enabling supervision, Apple Configurator will erase all device data and return the device to factory defaults. Therefore, supervision is not an adequate option for BYOD programs, or other deployments where personal data must be preserved.
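Because pushing a supervised-only setting to an unsupervised device is a common deployment mistake, the following added example (not MobileIron or Apple code) audits a configuration profile and separates the settings this document marks with an asterisk from those that work on any iOS 6 device. The payload types and restriction keys are Apple's configuration profile names, which this document does not list; the sample profile, proxy host and identifiers are constructed.

```python
import plistlib

# Payload types whose presence requires supervision (per this document).
SUPERVISED_PAYLOADS = {
    "com.apple.proxy.http.global": "Global HTTP Proxy",
    "com.apple.app.lock": "Single-App Mode",
}
# Restriction keys in com.apple.applicationaccess -> (label, needs supervision).
# The supervision flags follow the asterisks in this document's restriction list.
RESTRICTIONS = {
    "allowGameCenter": ("Game Center", True),
    "allowBookstore": ("iBookstore", True),
    "allowBookstoreErotica": ("iBookstore erotica", True),
    "allowChat": ("iMessage", True),
    "allowUIConfigurationProfileInstallation": ("User profile installation", True),
    "allowPassbookWhileLocked": ("Passbook while locked", False),
    "allowSharedStream": ("Shared Photo Stream", False),
    "allowDiagnosticSubmission": ("Diagnostics submission", False),
}

def audit_profile(data: bytes):
    """Return (supervised_only, any_device) lists of settings the profile enforces."""
    profile = plistlib.loads(data)
    supervised, general = [], []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype in SUPERVISED_PAYLOADS:
            supervised.append(SUPERVISED_PAYLOADS[ptype])
        elif ptype == "com.apple.applicationaccess":
            for key, (label, needs_sup) in RESTRICTIONS.items():
                # Only a key explicitly set to false is an active restriction.
                if payload.get(key) is False:
                    (supervised if needs_sup else general).append("Disallow " + label)
    return supervised, general

# Constructed sample profile (hypothetical proxy host and identifiers).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.ios6.baseline",
    "PayloadContent": [
        {"PayloadType": "com.apple.proxy.http.global", "ProxyType": "Manual",
         "ProxyServer": "proxy.example.com", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.applicationaccess", "allowGameCenter": False,
         "allowChat": True, "allowPassbookWhileLocked": False,
         "allowDiagnosticSubmission": False},
    ],
})

if __name__ == "__main__":
    needs_supervision, any_device = audit_profile(SAMPLE)
    print("Requires supervision:", needs_supervision)
    print("Works unsupervised:  ", any_device)
```

Any entry in the first list means the profile should be assigned only to devices that were set up and supervised with Apple Configurator.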
iOS 6 Hardware Support
The following devices can be updated to iOS 6:
iPad (3rd generation) Wi-Fi
iPad (3rd generation) Wi-Fi + Cellular (ATT)
iPad (3rd generation) Wi-Fi + Cellular (Verizon)
iPad 2 Wi-Fi (Rev A)
iPad 2 Wi-Fi
iPad 2 Wi-Fi + 3G (GSM)
iPad 2 Wi-Fi + 3G (CDMA)
iPhone 4 (GSM)
iPhone 4 (CDMA)
iPod touch (4th generation)
In addition, iPhone 5 and iPod touch (5th generation), available in September 2012, will ship with iOS 6.
MobileIron is Ready
MobileIron welcomes these exciting new enhancements and believes they will accelerate momentum for Mobile IT. Our current generally available release, MobileIron VSP v4.5.4, secures and manages newly registered iOS 6 devices, as well as existing devices under management that are updated to iOS 6.
The new iOS 6 capabilities mentioned in this document, excluding the privacy settings, can also be deployed and managed by MobileIron VSP v4.5.4. You can even use MobileIron for over-the-air management of settings requiring Configurator supervision. If devices are initially supervised using the Configurator, these settings can be later deployed and updated via MobileIron.